From jeff@zeroclue.com

Created by jeff@zeroclue.com

The following regex causes perl-5.10.1 to segfault on OpenBSD​:

my $msg = "\x{201C}Go figure\x{201D}";
$msg =~ s{((?​:ev|b))}{$1}i;

jeff@​minimunch​:~ $ perl -e 'my $msg = "\x{201C}Go figure\x{201D}"; $msg =~ s{((?​:ev|b))}{$1}i;'
Segmentation fault (core dumped)

jeff@​minimunch​:~ $ uname -a
OpenBSD minimunch.int.zeroclue.org 4.5 GENERIC#1749 i386

This was uncovered by a failing test case in SVN​::Notify 2.80. From a debugging session​:

  DB<1>
SVN​::Notify​::HTML​::output_log_message(lib/SVN/Notify/HTML.pm​:382)​:
382​: $url = encode_entities($url, '<>&"');
  DB<1>
SVN​::Notify​::HTML​::output_log_message(lib/SVN/Notify/HTML.pm​:383)​:
383​: $msg =~ s{\b((?​:rev(?​:ision)?\s*#?\s*|r)(\d+))\b}{sprintf qq{<a href="$url">$1</a>}, $2}ige;
  DB<1>
SVN​::Notify​::HTML​::output_log_message(/usr/local/lib/perl5/5.10.1/Carp.pm​:28)​:
28​: sub longmess { goto &longmess_jmp }

It appears to be due to Unicode and the non-capturing grouping.

It can also be triggered with actual UTF-8 characters in the source​:

use utf8; my $msg = "“Go figure”";
$msg =~ s{((?​:ev|b))}{$1}i;

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.10.1:

Configured by jeff at Thu Sep  3 22:05:05 PDT 2009.

Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
   
  Platform:
    osname=openbsd, osvers=4.5, archname=OpenBSD.i386-openbsd-64int
    uname='openbsd minimunch.int.zeroclue.org 4.5 generic#1749 i386 '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-O2',
    cppflags='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='3.3.5 (propolice)', gccosandvers='openbsd4.5'
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-Wl,-E  -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib
    libs=-lgdbm -lm -lutil -lc
    perllibs=-lm -lutil -lc
    libc=/usr/lib/libc.so.50.1, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC  -L/usr/local/lib -fstack-protector'

Locally applied patches:
    


@INC for perl 5.10.1:
    /usr/local/lib/perl5/5.10.1/OpenBSD.i386-openbsd-64int
    /usr/local/lib/perl5/5.10.1
    /usr/local/lib/perl5/site_perl/5.10.1/OpenBSD.i386-openbsd-64int
    /usr/local/lib/perl5/site_perl/5.10.1
    .


Environment for perl 5.10.1:
    HOME=/home/jeff
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/jeff/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.10.0:

Configured by jeff at Sat Nov 22 17:09:46 EST 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.6.18.8, archname=i686-linux
    uname='linux li48-252 2.6.18.8-linode10 #2 smp sat jul 19 20:24:32 edt 2008 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.1.2 20061115 (prerelease) (Debian 4.1.1-21)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.3.6.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.3.6'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib'

Locally applied patches:
    


@INC for perl 5.10.0:
    /usr/local/lib/perl5/5.10.0/i686-linux
    /usr/local/lib/perl5/5.10.0
    /usr/local/lib/perl5/site_perl/5.10.0/i686-linux
    /usr/local/lib/perl5/site_perl/5.10.0
    .


Environment for perl 5.10.0:
    HOME=/home/jeff
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/home/jeff/.bin:/usr/local/bin:/usr/bin:/bin:/usr/games:/usr/local/mysql/bin:/usr/X11R6/bin:/bin:/opt/local/bin:/usr/local/git/bin:/home/jeff/.cabal/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From jeff@zeroclue.com

Sorry for the potentially confusing content of the perlbug report, I had to push the perlbug
output to a different box in order to get the email to go through. As far as I can tell, this bug is
OpenBSD specific.

From @schwern

Jeff Lavallee (via RT) wrote​:

jeff@​minimunch​:~ $ perl -e 'my $msg = "\x{201C}Go figure\x{201D}"; $msg =~ s{((?​:ev|b))}{$1}i;'
Segmentation fault (core dumped)

As a data point, I cannot reproduce this on OS X 10.6 with 5.11.5, 5.10.1,
5.10.0 nor 5.8.9. perl -V's attached.

--
The past has a vote, but not a veto.
  -- Mordecai M. Kaplan

From @schwern

perlV.out

The RT System itself - Status changed from 'new' to 'open'

From david@kineticode.com

On Mar 12, 2010, at 9​:03 AM, Michael G Schwern wrote​:

As a data point, I cannot reproduce this on OS X 10.6 with 5.11.5, 5.10.1, 5.10.0 nor 5.8.9. perl -V's attached.

Yes, it seems specific to OpenBSD, as SVN​::Notify passes all tests on other platforms.

Best,

David

From @iabyn

On Fri, Mar 12, 2010 at 09​:45​:48AM -0800, David E. Wheeler wrote​:

On Mar 12, 2010, at 9​:03 AM, Michael G Schwern wrote​:

As a data point, I cannot reproduce this on OS X 10.6 with 5.11.5, 5.10.1, 5.10.0 nor 5.8.9. perl -V's attached.

Yes, it seems specific to OpenBSD, as SVN​::Notify passes all tests on other platforms.

On Linux, I can get valgrind to complain with 5.10.1 and 5.11.0, but not
5.11.4, 5.11.5 or bleed, so it may have been fixed

This is perl, v5.10.1 (*) built for i686-linux-thread-multi

  ==8213== Invalid read of size 2
  ==8213== at 0x8292889​: S_find_byclass (regexec.c​:1629)
  ==8213== by 0x82952C0​: Perl_regexec_flags (regexec.c​:2087)
  ==8213== by 0x817C8AE​: Perl_pp_subst (pp_hot.c​:2159)
  ==8213== by 0x8131F19​: Perl_runops_debug (dump.c​:1968)
  ==8213== by 0x808885F​: S_run_body (perl.c​:2431)
  ==8213== by 0x8087CD4​: perl_run (perl.c​:2349)
  ==8213== by 0x80600C1​: main (perlmain.c​:117)
  ==8213== Address 0x40e00c0 is 1,776 bytes inside a block of size 4,012 free'd
  ==8213== at 0x4005BCA​: free (vg_replace_malloc.c​:323)
  ==8213== by 0x8132DD2​: Perl_safesysfree (util.c​:262)
  ==8213== by 0x80ABA46​: Perl_parser_free (toke.c​:764)
  ==8213== by 0x82116C2​: Perl_leave_scope (scope.c​:1084)
  ==8213== by 0x820BFCF​: Perl_pop_scope (scope.c​:104)
  ==8213== by 0x8233072​: Perl_pp_leaveeval (pp_ctl.c​:3751)
  ==8213== by 0x8131F19​: Perl_runops_debug (dump.c​:1968)
  ==8213== by 0x8089B3A​: Perl_call_sv (perl.c​:2717)
  ==8213== by 0x8093AA8​: Perl_call_list (perl.c​:5264)
  ==8213== by 0x8074BF2​: S_process_special_blocks (op.c​:5864)
  ==8213== by 0x807492A​: Perl_newATTRSUB (op.c​:5835)
  ==8213== by 0x806BB9F​: Perl_utilize (op.c​:3878)

--
The Enterprise's efficient long-range scanners detect a temporal vortex
distortion in good time, allowing it to be safely avoided via a minor
course correction.
  -- Things That Never Happen in "Star Trek" #21

From jeff@zeroclue.com

It looks like it got fixed between 5.11.1 and 5.11.5​:

jeff@​minimunch​:~ $ cat segv.pl

my $msg = "\x{201C}Go figure\x{201D}";
$msg =~ s{((?​:ev|b))}{$1}i;

jeff@​minimunch​:~ $ /usr/local/perl-5.11.5/bin/perl segv.pl
jeff@​minimunch​:~ $ /usr/local/perl-5.11.1/bin/perl segv.pl
Segmentation fault (core dumped)
jeff@​minimunch​:~ $

From jeff@zeroclue.com

Summary of my perl5 (revision 5 version 11 subversion 1) configuration​:
 
  Platform​:
  osname=openbsd, osvers=4.5, archname=OpenBSD.i386-openbsd
  uname='openbsd minimunch.int.zeroclue.org 4.5 generic#1749 i386 '
  config_args=''
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=undef, use64bitall=undef, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='3.3.5 (propolice)', gccosandvers='openbsd4.5'
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
  ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags ='-Wl,-E -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib
  libs=-lgdbm -lm -lutil -lc
  perllibs=-lm -lutil -lc
  libc=/usr/lib/libc.so.50.1, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version=''
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
  cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC -L/usr/local/lib -fstack-protector'

Characteristics of this binary (from libperl)​:
  Compile-time options​: PERL_DONT_CREATE_GVSV PERL_MALLOC_WRAP
  USE_LARGE_FILES USE_PERLIO
  Built under openbsd
  Compiled at Oct 23 2009 10​:30​:57
  @​INC​:
  /usr/local/perl-5.11.1/lib/site_perl/5.11.1/OpenBSD.i386-openbsd
  /usr/local/perl-5.11.1/lib/site_perl/5.11.1
  /usr/local/perl-5.11.1/lib/5.11.1/OpenBSD.i386-openbsd
  /usr/local/perl-5.11.1/lib/5.11.1
  .

From jeff@zeroclue.com

Summary of my perl5 (revision 5 version 11 subversion 5) configuration​:
 
  Platform​:
  osname=openbsd, osvers=4.5, archname=OpenBSD.i386-openbsd
  uname='openbsd minimunch.int.zeroclue.org 4.5 generic#1749 i386 '
  config_args=''
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=undef, use64bitall=undef, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cc', ccflags ='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
  optimize='-O2',
  cppflags='-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='3.3.5 (propolice)', gccosandvers='openbsd4.5'
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
  ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='cc', ldflags ='-Wl,-E -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib
  libs=-lgdbm -lm -lutil -lc
  perllibs=-lm -lutil -lc
  libc=/usr/lib/libc.so.50.1, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version=''
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
  cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC -L/usr/local/lib -fstack-protector'

Characteristics of this binary (from libperl)​:
  Compile-time options​: PERL_DONT_CREATE_GVSV PERL_MALLOC_WRAP
  USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
  Built under openbsd
  Compiled at Mar 11 2010 10​:00​:05
  @​INC​:
  /usr/local/perl-5.11.5/lib/site_perl/5.11.5/OpenBSD.i386-openbsd
  /usr/local/perl-5.11.5/lib/site_perl/5.11.5
  /usr/local/perl-5.11.5/lib/5.11.5/OpenBSD.i386-openbsd
  /usr/local/perl-5.11.5/lib/5.11.5
  .

From @iabyn

Fixed by 0abd0d7

@iabyn - Status changed from 'open' to 'resolved'

From @dolmen

Bug #72996 is probably related (or the same?)​: it is also a case of a
crask in regexp matching of an UTF-8 string.
The code to reproduce is attached here​:
http​://rt.cpan.org/Public/Bug/Display.html?id=54819
I'm sorry, I can't test with other perl versions.

From @dolmen

Sent to the wrong "davem"

Le Dim. Mar. 14 17​:07​:11 2010, dolmen a écrit :

Bug #72996 is probably related (or the same?)​: it is also a case of a
crask in regexp matching of an UTF-8 string.
The code to reproduce is attached here​:
http​://rt.cpan.org/Public/Bug/Display.html?id=54819
I'm sorry, I can't test with other perl versions.